WASHINGTON—Saying that losses due to cyber-attacks could cost the U.S. economy more than $400 billion this year, Senator Dianne Feinstein (D-CA) argued passionately for final approval of the Cybersecurity Information Sharing Act, which was passed by the Senate at the end of October.
Quoting studies from McAfee on the costs of cyber-crime, Feinstein listed a series of cyber-attacks, including one in 2012 on Saudi Arabia’s Aramco Oil Company that wiped out three-quarters of its computers.
“It’s only a matter of time before they progress to our critical infrastructure,” she said. Senator Feinstein was speaking to a small group of executives at the offices of Arent Fox, a law firm with offices here. Feinstein highlighted what she regards as one of the strengths of the bill as passed by the Senate. “We crafted a bill that got 74 votes on the Senate floor,” she said.
Despite the fact that the bill has already passed both the House of Representatives and the Senate, it has yet to reach President Barack Obama’s desk for a signature, which means it’s not even close to becoming law. The next step in that process is to send it to a joint conference committee to resolve differences between the versions of the act passed by the House and Senate.
This task was made more complicated because the House actually passed two versions of the CISA Bill, so both of the House versions have to be reconciled with the Senate version.
The conference committee has yet to meet to consider reconciliation. In fact, the conferees to the committee have yet to be named. Normally this isn’t a big deal, but this is the end of the year and Congress will remain in session only four more weeks before it adjourns for the year.
Consider that the House and Senate only actually work three days a week, and it’s apparent that there are only 12 more working days for all of this to happen.
Of course it could actually happen quickly, if the conference committee members are promptly named, since the differences among the three versions of the bill are minor. But will it happen? The chances aren’t good and it’s more likely the legislation will be kicked down the road until 2016.
One of the things that Sen. Feinstein is worried about is that big opponents of the bill, including many in the tech industry and many more who are privacy advocates, will oppose the bill when it comes out of conference, and they will work to get it killed then.
Once approved, bills emerging from the conference committee can’t be amended, and the opposition may be slightly more effective.
For this reason, Sen. Feinstein went into detail about the privacy protections contained in the Senate version of the bill, most of which are in the House version. She pointed out that the bill requires personally identifiable data to be stripped from any threat information that’s shared with the government or other companies.
Senator Feinstein Pushes for Final Passage of Cyber-Security Bill
She also noted that CISA requires the assembly of a secure data portal run by the Department of Homeland Security that is supposed to ensure that personally identifiable information doesn’t pass through to government agencies or corporations.
The portal, she said, would support a common set of procedures for sharing information with private companies and for sharing within the government. Threat data would be shared under the safeguards that were put in place under the bill, she observed.
Feinstein talked about the next steps to be considered, noting that the Internet was designed without security in mind. She said that what is really needed is a new version of the Internet that is designed to provide a higher level of security.
Feinstein said she didn’t think it was possible for the current version of the Internet and a new, more secure version to exist simultaneously. She speculated that if a new version of the Internet were to be introduced, there would have to be a total cut-over, from one version to the other.
On the issue of global cyber-security, the senator said what is lacking so far is agreement on international norms for security and for how nations respect the data systems of other nations. She said this is the only way to get China, North Korea and other nations to stop raiding U.S. companies for information.
So I asked the Senator what she was planning in terms of legislation to enable this agreement on international norms. She turned the question around, and asked me what I thought. First I tried to explain that I couldn’t. “I’m a journalist,” I explained. “It’s my job to pass the buck to the legislators.”
Senator Feinstein was having none of that. “Oh, come on,” she said, staring at me, “you need to answer my question.”
So I explained that right now, the U.S. is spying on foreign countries as much as they are spying on us. “We’re effectively establishing international norms right now,” I said. “We’re setting the example for the Chinese and others. Shouldn’t there be some legislation that controls how we act in relation to other countries as a way to raise those international norms?”
“I hadn’t thought of that,” Feinstein said, looking at me again, “I’ll take a look at that.”
Does that mean I just initiated a new round of cyber-security laws? Probably not. Congress isn’t known for adopting the ideas of journalists or other outsiders.
But I think that if we expect other nations to respect our cyber-security, we have to do the same thing. The world is too small to think that only the U.S. can spy on nations, but that others can’t spy on the U.S. But what do I know? I’m just a journalist.